Release and Configuration Notes
First Published: 12/1/2021
This document contains system requirements, supported features and bugs for ReSTNSX v4.2
The ReSTNSX appliance no longer ships with a 45 day Evaluation License. Users must email email@example.com to receive a limited, temporary license. In evaluations mode, the following limitations are enforced:
- A limit of two data sources (NSX Managers) can be configured
- Tenants count limited to 2
- No additional users or external auth may be provisioned
- vRNI flows are limited to 15
- ASA import to dFW publish is disabled
- Maximum of 10 workflow items can be published to NSX Manager
- For Operations -> dFW, a limit of 20 rule changes / 4 section changes total is enforced when importing NSX rules from CSV or published to NSX Manager. dFW Mover is limited to 1 Section / 15 rules per instantiation.
- For Operations -> N&S, Mover is limited to 15 objects per instantiation.
In evaluation mode, the default login information is as follows:
Support matrix and system requirements for ReSTNSX.
|ReSTNSX (Small)||3.6+, 4.x||8 vCPU||16GB||50GB|
|ReSTNSX (Med-Large)||3.6+, 4.x||10 vCPU||32GB||100GB|
|vCenter||6.5, 6.7, 7.0||-||-||-|
|NSX Manager (-v)||6.3, 6.4||-||-||-|
|NSX Manager (-T)||2.3, 2.4, 2.5, 3.0, 3.1|
For REST API access, HTTPS (TCP Port 443) must be allowed through any transient firewalls for the ReSTNSX Appliance to access vCenter and NSX Manager. For NSX-T Central CLI and edge node troubleshooting tools, ReSTNSX requires SSH connectivity to the primary NSX Manager / vCenter hosts.
VMCoAWS is supported for direct connect connections and running as an OVA within the compute cluster within a given SDDC. CGW and MGW rules must be added for HTTP for ReSTNSX to connect to NSX Manager and vCenter.
- Chrome 84+ for the best user experience
- Firefox 52+ (Limited Interop Testing)
- Data Sources: Adding data sources (NSX-v and NSX-T) will discover the inventory on the setup process (optional) and display configuration counts as compared to the VMware configuration maximum recommendations.
- Support for NSX-T 3.x Global Manager (Micro-Seg features)
- VM query. For NSX-T based data sources, the VM Query > Security Analysis feature now includes a BOT for collecting dFW data from the ESXi. This BOT will SSH (with user supplied permissions) to the ESXi host and collect a series of troubleshooting output specific to a given VM:
- dFW rules and stats
- Status of dFW
- vNIC Stats
- Objects referenced in dFW rules
- Rule flows
- Packet log
- Output filtering
Object Analyzer (OA)
- dFW and eFW Custom Timeframe. Previously, rule counter / usage was based upon hits since the last time the counters were cleared. This feature allows the user to select a timeframe to analyze stale rules
- PDF Export. In addition to Excel, export results to PDF is now supported.
- Results Cache. Once an analysis has been completed, a user can now return to the OA page at a later date and load the previous results instead of having to re-run the analysis.
Rule Analyzer (RA)
- No new features
Flow Analyzer (vRNI)
- IP Resolution (NSX-T). On the flow collection page, an additional option for converting raw IP to a NSX object is now supported. Users can select one or more rows (flows) and resolve the collected vRNI flow IPs to existing NSX-T NS Groups. Upon publishing the rule, the source/destination raw IP will be replaced with the selected NS Group(s). Note: If an IP resolves to multiple NS Groups, the user can select from a list of which one to use in the rule.
- A new audit file export where the updates made in the latest Policy Engine run for NSX-v dFW rules, IP Sets, Security Groups and Services are reported. The data includes the object definition before and after the policy was run.
- Supported versions for Firewall and Security Group synchronization:
|NSX-v||NSX-T 3.x||NSX-T 2.5||AWS|
- Time stamps. A new, optional column, for NSX-T objects will display in the respective object grid an objects create and modify time stamps
- Relationships. To determine where an object is in use, a OA report would typically need to be run. Under N&S Objects, a tabular and graphic depiction of where an object is in use (Security Groups, Services, IP Sets, Service Groups) is available to easily visualize object relationships and dependencies.
- VM Search. For Security Groups, users can now search for an effective member (Virtual Machine). This feature will search for a given VM across all Security Groups on the NSX Manager using either real-time or cached (reporting) results.
- Custom workflows where an administrator can build a custom workflow with specific permissions. This option allows a workflow creator to define exactly which fields a user can and cannot change. In the example below, an Admin can lock all user fields. Additionally, the drop-downs and text boxes can be set to a specific value that the end user cannot change when they executed the workflow. Currently, this feature is only available for NSX-v.
- Export. The CSV export of dFW rules now provides the option to export the object details. For example, if a rule contains an IP Set, the export will contain the IP Set name, ID and value (ex: 192.168.1.0/24)
- AD Group Sections (NSX-v only)
- In-line editing of a rule for directly adding raw IP, IP Sets, Security Groups and Services. Alternatively, the pop-up window method is still supported.
- In-line adding of a new object (IP Set, Security Group) by selecting the Create New option in the drop-down
- Segment creation for vDS backing now supported.
- Attachment of VMs to Segments (single or multiple) can now be done through point and click
- NSX-T Edge Firewall BOT. This BOT will automatically connect (via SSH) to an edge VM and collect a series of commands for troubleshooting
- Topology and Fabric
- View mode of the NSX fabric (edge nodes, vCenter, etc..)
- View / Edit mode (released as a beta feature) of the routing topology (Tier 0, Tier 1, Segments, VMs) where a user can drag an object from the object inventory to create in NSX-T. For example, drag a segment onto a Tier 1, name it and it will be created and associated automatically.
- Object Definition. Runbooks and System Reports now contain further object definition for Security objects. This data includes the effective members at the time of the report.
- Export Formats. Excel and Word are now export options for System Reports
- System report notification maximum email destinations increased to 25 from 3
- While editing a NS Group in the Tenant space, a Segment Port Tag is a new option for a user to add as criteria. Note that the Tenant will only see Segment Ports with their ReSTNSX tag.
- Work Authorizations have been extended to the Tenant space for the administrator to approve/reject Tenant objects/rules before any edits are implemented. Task approval will be Tenant’s admin and System admins. The Implementer will be the same as the Requester but It can be overridden if there is any setting found for that entity in Authorization Screen under System Admin.
- Tenant NS Group. A few feature allows a Tenant, within a NS Group, to reference other existing VM tags for the same Tenant (ex: other Tenant VMs that may have other tags applied). As long as a VM has the Tenant tag and scope ReSTNSX Multi-Tenant, the Tenant NS group will show it as an available option from the drop-down
Enterprise license support. Beginning with ReSTNSX 2.2, customers will have the option of a Standard or Enterprise license. Standard licenses enable all the core features of the platform whereas Enterprise provides advanced functionality such as NSX Mover and Multi-Tenant Administration without requiring separate feature licenses for each capability. To learn more about the different ReSTNSX licensing options, please visit the licensing page.
Note: NSX Mover is available in the current release as a tech preview for non-Enterprise licensed customers. Future releases will require Enterprise licensing to enable this feature
ReSTNSX provides an easy way to query both NSX and vCenter objects quickly and easily. On every page within the application, users can slide out the Query tab to perform inventory searches. Within that same window, users are able to export the data to CSV, Excel, PDF and the system clipboard for use in ReSTNSX workflows.
- VM queries against NSX 6.4 Managers will show the corresponding IP address(es) for any given VM
- With a single click, all searches in query will run and the resulting CSV data will be zipped and downloaded to the user's desktop
- All CSV exports are now ReSTNSX workflow compatible. Users can export data from Query and use them in workflows with little editing of the data
Query Support for NSX-T Objects
- IP Pools
- IP Sets
- Layer 3 Sections (Policies)
- Logical Switches (Segments)
- Service Groups (N/A for Policy)
- Tier 0 Routers
- Tier 1 Routers
Query Support for NSX-v Objects
- IP Pools
- IP Sets
- Layer 3 Sections
- Load Balancers
- Logical Switches
- Logical Routers
- Security Groups
- Security Tags
- Service Groups
- Transport Zones
Query Support for vCenter Objects
- Virtual Machines. Note: VM list is the inventory as reported by NSX Manager
Central CLI (NSX-v, NSX-T)
ReSTNSX's Central CLI provides web-based (HTTPS) API-driven access to the NSX Manager CLI without the need for SSH or leaving the web UI for troubleshooting NSX.
- Easy buttons allowing users to click an icon to run pre-defined CLI commands such as "show logical-switch list all" without typing one character.
- Enhanced command output with Intelligent Hyperlinks that allows easy buttons to run additional nested commands that are context aware.
- For any CLI command, users can save the commands for future use with a single click.
- Color picker for saving text, hyperlink and background color. These settings are saved per user.
API Scout (NSX-v, NSX-T)
API Scout provides in-application access to the NSX Manager and vCenter APIs without having to use an external client. Based upon the active data source, users can perform GET, PUT, POST functions without the complexity of auth/session cookies or having to leave the UI for API access. Additionally, common API calls for each data source type are provided for easy access.
Personal favorites can also be stored. The URI is stored in the user profile along with personalized, searchable URI history
Security Planner (NSX-v, NSX-T)
ReSTNSX's Security Planner integrates into VMware's vRealize Network Insight (vRNI) platform for easy firewall rule creation in NSX Manager. With this integration, Security Planner will connect to vRNI via API methods to collect IP flow information based upon vCenter cluster and time range (up to 30 days prior to the current date). Upon collecting the data, flows are automatically de-duplicated with additional options for the user to optimize the flows. In the initial release of Security Planner, flows with like IP destinations are automatically combined.
Users can publish the same analyzed flows against NSX-v and NSX-T. Additionally, users are able to apply flow filters to exclude specific IP sources, destinations or TCP/UDP ports to narrow the flow collection.
Once the flows are collected, the processed flows are displayed for further editing:
- Drag/drop rules to combine together
- Multi-select of rules to combine together
- Single or multi-select of rules to transform IP Source and/or destination to IPSets
- When connected to NSX Managers of version 6.4 or greater, users may choose to resolve the raw IPs to VM-IDs to be used in the rule set
These rules are now ready to publish to NSX Manager. Select individual or all rules to be published. Upon doing so, a new Section in dFW will be created at the top of the rule set. In this section, all vRNI flows that were selected are present.
Note: Upon publish, all rules in this new section are disabled by default. To enable the rules, click the global select box and "Enable Selected" from the global drop-down menu.
ReSTNSX Operations provides real-time, instant creation, modification and deletion of NSX objects. In comparison to work-flows with bulk object creation and roll-back, Operations is designed for performing the typical Day 2 tasks and common management functions. Operations is divided up into NSX System for managing the NSX Manager settings and Networking/Security Objects; Networking for logical switching, DLR and ESG management; Security for dFW and eFW; and Load Balancing.
Real-time operations for NSX Manager settings
- Network settings, including IP, DNS, NTP and Syslog
- Security modes (FIPS) and Cipher selection
- Service status and status toggle for vPostgres, RabbitMQ, Universal Synch, Management, SSH and Lookup URL
- Backup settings, including FTP server, scheduling and items to be excluded
Real-time operations for dFW
Create, Edit, Delete, Import and Export (via CSV and point-click) dFW rules.
Support for firewall generation and object generation numbers to see if the firewall rule has been successfully published to the hosts and clusters. If they are out of synch, the host or cluster will be marked orange with the user's ability to force a re-synch of the rules and objects.
Support for dFW mover to copy sections, rules and dependent objects between NSX Managers.
dFW Mover copies L3 Rules and Sections from a source NSX manager to one or more NSX Managers. Below are application notes related to behavior between the source and destination sections
Sections and Rules: Matched by Name
If matched, the section on the target manager will be replaced with the same rule names
Else, the new section will be created to the top of the dFW section list
Objects referenced in the rule: Matched by Name
If the source object matches the destination object name, Mover will use the existing destination object.
Supported objects include:
Edge Service Gateways
Else, the user has the option to create the dependant object on the target.
Supported objects include:
Import and Export (via CSV) is another option for copying rules between NSX managers. When exporting rule sets from dFW Operations into a ReSTNSX compatible template, you can use the file for importing into other NSX Managers via two methods
- dFW Operations. Once a user exports the current rule set from the main menu (Global Actions -> Export Rules (CSV)), the file can be stored for use against other NSX Managers by selecting a new data source and importing by clicking Global Actions -> Import Rules (CSV). The user is then presented an option to Merge or Replace the rules on import.
- dFW Workflow. Using the same export for Global Actions -> Export Rules (CSV), users can navigate to Predefined Calls -> Security -> dFW and import the ruleset into a workflow for publishing against NSX.
Note: For CSV export, rule names with commas is not supported as it will create conflicts in the comma-based CSV import/export.
dFW Exclusion Management
VM exclusion lists just got easier with a table-based view to easily add / remove VMs from the dFW exclusion list. With this new feature, users can easily filter based upon VM name and select / multi-select adding or removing from the exclusion list.
VM Troubleshooter / Analyzer
Real-time visibility into VM Security Status
Within dFW, users can now select an individual VM to analyze its security posture - including which Security Groups and dFW Sections / Rules it belongs to; the current status of dFW rules and objects on the host where it resides and the ability to download a copy of the installed dvFilter information. Additionally, a visualization of the same security posture data in a relationship diagram is provided.
Networking and Security Objects - N&S - (NSX-v, NSX-T)
Real-time operations for N&S objects
Create, Edit and Delete N&S objects instantly through ReSTNSX. The following objects are supported in this release:
- IP Pools
- IP Sets
- Security Groups
- Security Tags
- Security Tag associations
- Service Groups
- Create, Edit, Delete - Logical Switches
- Attach / Detach virtual machines
- Create, Edit, Delete - Transport Zones
- Edit Segment IDs
- Create, Edit, Delete - DLRs
- Create, Edit, Delete - ESG Templates
- Edit Logical Switch associations
Real-time operations for NSX Load Balancers
Within ReSTNSX, users can now create, edit and operate their NSX load balancers easier than ever before. In a single dashboard, users can monitor critical alerts and manage all edge load balancers of a given NSX domain.
For creating new load balancers, ReSTNSX provides a 5 step create wizard that will build and deploy load balancers quickly and easily. Every step required for a valid configuration is provided.
ReSTNSX also provides full life-cycle management of NSX load balancers. Within the dashboard, users can: Create, Edit and Delete:
- Virtual Servers
- Application Profiles
- Server Pools
- Application Rules
- Service Monitors
Diagnostics and Troubleshooting
In addition to the dashboard metrics, ReSTNSX provides a load balancer troubleshooting tool that will run a series of diagnostic commands to help isolate problems. The tool performs a series of CLI-based troubleshooting commands and presents the output while highlighting potential configuration issues. The tool can be run on a virtual server by virtual server basis and provide insight into problem areas within seconds.
- Note: In v2.6, Pool side certificates are not supported for Pool-side SSL
Real-time replication of Networking and Security N&S Objects
With NSX Mover, Administrators can easily copy N&S objects and dFW rules between NSX Managers of the same or different type instantly. Objects are copied in real-time to the destination NSX-v or NSX-T Manager without having to login to the remote system. Copying can be done from source to one or many remote NSX Manager(s). If the data sources (NSX Managers) are configured into Groups, users are able to select the Group and ReSTNSX will copy the objects and/or firewall rules to multiple destinations at once.
Migrate vCenter VM Tags to NSX Security tags. Any VM Tag that exists in vCenter can be migrated to NSX Security Tags and applied to a VM in one easy step. Navigate to Operations -> N&S Objects -> Tags and select "Import VM Tag" from the main menu to select a VM Tag. Note: only VM Tags currently applied to VMs will be imported. Upon importing and conversion of the tag to a security tag, it will automatically be applied to the same VM the vCenter tag was applied to.
Users can select a single or multiple dFW rules and/or sections to copy across Managers.
To access the Mover tool, navigate to the N&S object types of interest in your origin datasource, select a single or multiple object, and navigate to the drop-down menu and select "Copy Selected To..."
Supported objects types are listed below. To learn more about NSX Mover, please see the ReSTNSX Overview page.
|Object||NSX -v 6.3||NSX -v 6.4||NSX -T 2.2+|
|Service Groups *||Y||Y||Y|
|Security Groups* , **||Y||Y||N|
* NSX Mover's analytics engine determines if dependent objects exist and will prompt the user if they wish to create the dependent objects on the destination system. Examples of objects that could have dependencies include Service Groups and Security Groups where they may be referencing other objects that do not yet exist.
** NSX Mover supports Security Groups for migrating dependent objects such as IPSets and Security Tags. Logical Switches and Virtual Machines will be supported in future release.
Administrators, Auditors and IT Managers now have access to a unified reporting fabric to gain visibility into all of the ReSTNSX managed domains - regardless of NSX version or location. ReSTNSX now provides three report types:
System Reports - Environment summary, service status and configuration details of each NSX Manager under ReSTNSX management are provided by a daily report or on-demand. Difference reports that will highlight the NSX configuration differences between the latest collected inventory and service status with the previous collections. Users may also select custom retention intervals. The default storage policy is to retain the previous 14 days of configurations for comparison. The maximum allowed setting is 180 days.
Activity Reports - Filtered real-time, system log events that can be sorted by username for insight into a user’s action over time.
Tenant Reports - A combination of the System and Activity reports. Data is filtered to provide insight into any given ReSTNSX configured tenant. Similar to the System reports, the Tenant report provides Administrators and Auditors a configuration summary on a tenant-by-tenant basis. Tenant reports reflect real-time information for configuration and user activity.
ReSTNSX now provides a central repository for CSV Configuration Files. In addition to uploading the CSVs directly into a given workflow, users can now also reference the files stored on the ReSTNSX appliance. Users are also able to upload multiple types and versions of files that can be re-used in workflows by multiple users.
Upgrades to ReST NSX leverage configuration export for easy migrations. When exported, the following information is retained:
- Local Users
- Saved Workflows
- Custom Wizards
- Tenant Information
- Data Sources
- System Settings
- CSV Workflow Files
- Central CLI Favorites
By exporting this information, upgrades are performed in parallel to the production platform. Once the new version of ReSTNSX is online, simply import the previously exported configuration file and the system is online. Administrators can manage the same NSX environment(s) with both ReSTNSX versions at the same time and
Note: When both systems are online, configuration settings are not synchronized between the different versions and must be maintained separately until the old version is decommissioned.
For a step-by-step upgrade, please refer to the ReSTNSX Upgrade Guide